hitrust-expert

star 308

HITRUST CSF expert for healthcare security. Implementation guidance, assessment workflow, and mapping to HIPAA/NIST/ISO/PCI frameworks. References control IDs only — not a replacement for a licensed CSF copy.

GRCEngClub By GRCEngClub schedule Updated 4/18/2026
play_arrow Run Skill in Manus View GitHub

name: hitrust-expert description: HITRUST CSF expert for healthcare security. Implementation guidance, assessment workflow, and mapping to HIPAA/NIST/ISO/PCI frameworks. References control IDs only — not a replacement for a licensed CSF copy. allowed-tools: Read, Glob, Grep, Write

HITRUST Expert

Deep expertise in HITRUST Common Security Framework (CSF) for healthcare and business-associate organizations.

Important — normative text. HITRUST CSF is proprietary and subscription-required. This skill provides implementation guidance, assessment workflow, and evidence patterns — phrased in the author's own words. All normative control statements, scoring rubrics, and MyCSF-specific requirement language must be read from your licensed CSF. When a command in this plugin quotes a control description, it is a paraphrased summary; consult the CSF for authoritative text.

Expertise Areas

HITRUST Alliance Overview

Mission: Create security and privacy programs that can be certified Founded: 2007 Purpose: Address security/privacy challenges in healthcare industry Key Value: Single framework harmonizing 40+ regulations and standards

HITRUST CSF (Common Security Framework)

Current Version: CSF v11 (as of 2024) Control Objectives: 156 across 19 domains Customization: MyCSF tailored assessment Certifications: i1, r2, e1

Assessment Types

Type Full Name Duration Assessor Validity Use Case
i1 Implemented, 1-year 3-6 months Self or validated 1 year Initial cert, vendors
r2 Reportable, 2-year 6-12 months External required 2 years Providers, high assurance
e1 e1 Assessment 3-6 months Can be self Bridge Upgrade i1 to r2

i1 Assessment:

  • Demonstrates control implementation
  • Self-assessment or externally validated
  • Less rigorous than r2
  • Lower cost ($30K-$80K validated)
  • Good for: Vendors, BAs, initial certification

r2 Assessment:

  • Full external validation required
  • Independent HITRUST assessor
  • Comprehensive testing
  • Higher cost ($100K-$300K+)
  • Required for: Healthcare providers, payers, high-risk BAs

e1 Assessment:

  • Bridges i1 to r2 in year 2
  • Validates changes since i1
  • Extends certification to 2-year cycle
  • Cost-effective staged approach

MyCSF Customization

HITRUST CSF requirements tailored based on:

Organization Factors:

  1. Type: Provider, payer, clearinghouse, BA, vendor, other
  2. Size:
    • Small: <$20M revenue or <20 employees
    • Medium: Mid-sized
    • Large: >$1B revenue or >1000 employees
  3. System Type: SaaS, on-premise, hybrid, mobile
  4. Regulatory Factors: HIPAA, state laws, international regs

Customization Result:

  • Not Applicable: Requirements excluded
  • Implementation Levels:
    • Baseline: Minimum requirements
    • Middle: Moderate requirements
    • Enhanced: Advanced requirements

19 Control Domains

  1. Information Security Management Program (01) - 12 controls

    • Security governance
    • Risk management program
    • Compliance management

  2. Access Control (02) - 14 controls

    • User access management
    • Privileged access
    • Access reviews
    • Remote access

  3. Human Resources Security (03) - 8 controls

    • Background screening
    • Terms of employment
    • Termination procedures

  4. Risk Management (04) - 5 controls

    • Risk assessment methodology
    • Risk treatment
    • Acceptance criteria

  5. Security Policy (05) - 3 controls

    • Information security policy
    • Review and updates

  6. Organization of Information Security (06) - 8 controls

    • Management commitment
    • Security roles
    • Contact with authorities

  7. Compliance (07) - 6 controls

    • Legal requirements
    • Privacy obligations
    • Intellectual property

  8. Asset Management (08) - 7 controls

    • Asset inventory
    • Information classification
    • Media handling

  9. Physical and Environmental Security (09) - 11 controls

    • Secure areas
    • Physical entry controls
    • Equipment security
    • Disposal

  10. Communications and Operations Management (10) - 23 controls

    • Change management
    • Capacity management
    • Malware protection
    • Backup
    • Network security

  11. Information Systems Acquisition, Development and Maintenance (11) - 15 controls

    • Security requirements
    • Secure development
    • Cryptographic controls

  12. Information Security Incident Management (12) - 6 controls

    • Incident response plan
    • Reporting procedures
    • Collection of evidence

  13. Business Continuity Management (13) - 5 controls

    • BCM process
    • Continuity planning
    • Testing

  14. Network Protection (14) - 7 controls

    • Network architecture
    • Segmentation
    • Firewall management

  15. Password Management (15) - 6 controls

    • Password policies
    • Storage and transmission
    • Multi-factor authentication

  16. Education, Training and Awareness (16) - 4 controls

    • Security awareness
    • Role-based training

  17. Third Party Assurance (17) - 6 controls

    • Business associate agreements
    • Vendor risk management
    • Cloud service provider oversight

  18. Mobile Device Security (18) - 5 controls

    • Mobile device policy
    • BYOD management
    • Mobile application security

  19. Incident Detection and Response (19) - 5 controls

    • Monitoring and detection
    • Security information and event management (SIEM)
    • Threat intelligence

Framework Harmonization

HITRUST CSF maps to 40+ frameworks including:

Primary Frameworks:

  • HIPAA Security and Privacy Rules
  • NIST 800-53, Cybersecurity Framework
  • ISO/IEC 27001:2013, 27002
  • PCI DSS v3.2.1
  • FedRAMP Moderate Baseline

Additional Frameworks:

  • AICPA Trust Services Criteria (SOC 2)
  • COBIT 5
  • GDPR
  • FISMA
  • FDA Medical Device Guidance
  • CMS MARS-E
  • State breach notification laws
  • Canadian PIPEDA
  • UK Data Protection Act

Benefits of Harmonization:

  • Single assessment covers multiple requirements
  • Reduced audit fatigue
  • Streamlined compliance
  • Consistent control language

Certification Process

Phase 1: Preparation (2-4 months)

  1. Gap assessment
  2. Remediation planning
  3. Control implementation
  4. Documentation
  5. Self-assessment

Phase 2: Assessment (1-3 months)

  1. Assessor selection (for validated/r2)
  2. Scoping and kickoff
  3. Evidence collection
  4. Interviews and testing
  5. Assessor review

Phase 3: Certification (1-2 months)

  1. Corrective action (if needed)
  2. Final review
  3. Certification decision
  4. Certificate issuance

Ongoing: Surveillance

  • Continuous monitoring
  • Interim assessments
  • Change notifications
  • Annual recertification (i1) or biennial (r2)

Common Implementation Challenges

  1. Scope Definition:

    • System boundaries unclear
    • Data flows not documented
    • Inherited controls from cloud providers

  2. Resource Constraints:

    • Limited security staff
    • Budget limitations
    • Competing priorities

  3. Documentation Gaps:

    • Policies outdated or missing
    • Procedures not formalized
    • Evidence not collected systematically

  4. Technical Deficiencies:

    • MFA not fully deployed
    • Encryption gaps
    • Logging/monitoring insufficient
    • Vulnerability management immature

  5. Organizational:

    • Lack of executive support
    • Unclear roles and responsibilities
    • Change management resistance

Critical Controls (High Failure Rate)

  1. 09.ab - Encryption of ePHI at Rest
  2. 10.k - Encryption in Transit
  3. 15.d - Multi-Factor Authentication
  4. 10.j - Audit Logging
  5. 12.a - Incident Response Plan
  6. 13.a - Business Continuity Plan
  7. 17.a - Business Associate Agreements
  8. 04.a - Risk Assessment

Evidence Requirements

Common Artifacts Needed:

  • Information security policies
  • Risk assessment reports
  • Business impact analysis
  • System security plans
  • Network diagrams
  • Data flow diagrams
  • Asset inventories
  • Access control matrices
  • Audit logs
  • Vulnerability scan reports
  • Penetration test reports
  • Security awareness training records
  • Incident response plans and tests
  • Business continuity/disaster recovery plans
  • Business associate agreements
  • Vendor risk assessments
  • Change management records

Cost Considerations

i1 Validated Assessment:

  • Assessor fees: $30K-$80K
  • Remediation: $50K-$150K
  • Tools/tech: $20K-$50K
  • Internal effort: 500-1000 hours
  • Total: $100K-$280K

r2 Assessment:

  • Assessor fees: $100K-$300K
  • Remediation: $150K-$500K
  • Tools/tech: $50K-$150K
  • Internal effort: 1000-2000 hours
  • Total: $300K-$950K+

Costs vary by scope, readiness, and organization size

Certification Benefits

Regulatory:

  • Demonstrates HIPAA compliance
  • Satisfies breach safe harbor (some states)
  • Shows due diligence

Business:

  • Competitive differentiator
  • Customer confidence
  • BAA credibility
  • Reduced audit burden
  • Streamlined vendor assessments

Operational:

  • Improved security posture
  • Standardized processes
  • Better risk visibility
  • Incident readiness

Capabilities

  • HITRUST CSF assessment planning (i1, r2, e1)
  • MyCSF scoping and customization
  • Gap analysis and remediation roadmaps
  • Control implementation guidance (156 controls)
  • Evidence collection and documentation
  • Assessor selection and management
  • Framework mapping (HIPAA, NIST, ISO, PCI-DSS)
  • Business associate agreement review
  • Vendor risk assessment (HITRUST CSF perspective)
  • Continuous monitoring and surveillance
  • Certification maintenance
Install via CLI
npx skills add https://github.com/GRCEngClub/claude-grc-engineering --skill hitrust-expert
Repository Details
star Stars 308
call_split Forks 67
navigation Branch main
article Path SKILL.md
Occupations
Health Information Technologists And Medical Registrars 299021
More from Creator
GRCEngClub
GRCEngClub Explore all skills →